By karger on
I'm running drupal 4.6, and have run into a problem with access control. While nodes themselves are access controlled---and in particular, I can restrict "anonymous users" from access to the nodes---I can't figure out how to restrict access to the blocks on the sidebars. I am managing a book node, and one of the blocks is the book outline. Each book page shows "access denied" to any anonymous user; however, such an anonymous user will see the book outline, and can navigate through it to learn all of the section headings etc., which is a privacy violation I would like to prevent.
Comments
You will need to play around
You will need to play around with custom blocks to accomplish this.
Here's an example in the handbook
http://drupal.org/node/27690
-sp
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide
Wrapping other blocks?
This seems like it would work, IF there were an easy way for me to "wrap" another block inside my own. I tried the obvious step of calling book_block and returning the result, but that produced junk. What should I do instead?
Drupal 4.7
Will solve this by letting you code visibility. All hail Dries for this fine idea.
--
Read my developer blog on Drupal4hu.
--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.
Hail Dries!
Hail Dries! ;)
--
Please read the handbook, search the forums, then ask...
http://drupal.etopian.net (Modules and Drupal Services)
Problem in access control design?
OK, I've gotten what I needed with the book module, but I had to write a custom block to do it. This seems questionable. It seems that by default, any time someone implements a block and it gets enabled, it can be viewed by anonymous users. This can only be prevented if the block developer thinks to do their own access control checking, or if one writes custom block code for each block he wishes to enable. This lack of a centralized permission mechanism for blocks seems a real access-control hole. At the very least, shouldn't there be some kind of "view blocks" permission that can be granted to or withheld from various roles?